authordrh <drh@noemail.net>2017-09-14 02:36:27 +0000
committerdrh <drh@noemail.net>2017-09-14 02:36:27 +0000
commit263a8b660f401afb7fc1da94d34c37b896feebb0 (patch)
tree30d71d22f7ea53dd4e022b8f9798a79cec9525f5 /src
parentbb6896226f3c833f1e3488fb6b20543e7644608b (diff)
Avoid an out-of-bounds read on a recovery attempt using a carefully crafted
database and rollback journal with mismatched page sizes. The test case for this is in TH3. FossilOrigin-Name: 378afa16381a222aafa6009dbbbc92473a69683537f1c265694678b0595a42c8
Diffstat (limited to 'src')
-rw-r--r--src/pager.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/pager.c b/src/pager.c
index 4f3f75b6e..87622f83a 100644
--- a/src/pager.c
+++ b/src/pager.c
@@ -2844,12 +2844,13 @@ static int pager_playback(Pager *pPager, int isHot){
** pager_playback_one_page() call returns SQLITE_DONE or an IO error
** occurs.
*/
- while( 1 ){
+ do{
/* Read the next journal header from the journal file. If there are
** not enough bytes left in the journal file for a complete header, or
** it is corrupted, then a process must have failed while writing it.
** This indicates nothing more needs to be rolled back.
*/
+ u32 savedPageSize = pPager->pageSize;
rc = readJournalHdr(pPager, isHot, szJ, &nRec, &mxPg);
if( rc!=SQLITE_OK ){
if( rc==SQLITE_DONE ){
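Review bot: The restore of `savedPageSize` sits at the bottom of the loop body, so any exit that jumps to the `end_playback` label skips it; the `rc!=SQLITE_OK` branch right after `readJournalHdr()` looks like one such exit, though its body is cut off by this hunk. If `readJournalHdr()` can change `pPager->pageSize` from a journal header before it returns an error (the commit message suggests this, but these lines do not show it), the pager would leave recovery still using the journal's page size. Consider declaring `savedPageSize` once before the loop and restoring it after the label with `if( rc==SQLITE_OK ) rc = sqlite3PagerSetPagesize(pPager, &savedPageSize, -1);`. The declaration also deserves a comment, for example `/* Page size in effect before the journal header is read; restored after playback */`. The body of pager_playback() starts and ends outside this hunk.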
@@ -2931,9 +2932,8 @@ static int pager_playback(Pager *pPager, int isHot){
}
}
}
- }
- /*NOTREACHED*/
- assert( 0 );
+ rc = sqlite3PagerSetPagesize(pPager, &savedPageSize, -1);
+ }while( rc==SQLITE_OK );
end_playback:
/* Following a rollback, the database file should be back in its original